Monthly Archives: June 2010

Botnet for RSA cracking?

30 June 2010 – 2:29 pm

I read an interesting article about putting 1.000.000 computers, given the chance for a serious botnet owner to get it, to crack RSA.

The result is that in such context attacking an RSA 1024bit key would take only 28 years, compared to theoretical 19 billion of years.

Reading of this article, is extremely interesting because it gives our very important consideration on the cryptography strength respect to the computation power required to carry on cracking attempt, along with industry approach to “default security level”.

I would say a must read.

Tags encryption, Privacy | Comment (0)

technology

Patent rights and opensource: can they co-exist?

27 June 2010 – 12:11 pm

How many of you had to deal with patented technologies?

How many of the patented technologies you dealed with was also “secrets” in their implementation?

Well, there’s a set of technologies whose implementation is open source (copyright) but that are patented (intellectual property right).

A very nice paper about the topic opensource & patents that i suggest to read is from Fenwick & West and can be downloaded here (pdf).

Comment (0)

business cyberwarfare intelligence Privacy security technology

China Encryption Regulations

16 June 2010 – 1:11 pm

Hi all,

i found this very interesting paper on China Encryption Import/Export/Domestic Regulations done by Baker&Mckenzie in the US.

It’s strongly business and regulatory oriented giving a very well done view on how china regulations works and how it may behave in future.

Read here Decrypting China Encryption’s Regulations (form Bakernet website) .

Tags business, cyberwarfare, encryption, Privacy, voicesecurity | Comment (0)

security

IOScat – a Port of Netcat to Cisco IOS

13 June 2010 – 3:25 pm

A porting of famous netcat to Cisco IOS router operating system: IOSCat

The only main limit is that it does not support UDP, but that’s a very cool tool!

A very good txt to read is Netcat hacker Manual.

Tags hacking | Comment (0)

cyberwarfare intelligence interception security

The (old) Crypto AG case and some thinking about it

7 June 2010 – 6:40 pm

In the ’90, closed source and proprietary cryptography was ruling the world.

That’s before open source and scientifically approved encrypted technologies went out as a best practice to do crypto stuff.

I would like to remind when, in 1992, USA along with Israel was, together with switzerland, providing backdoored (proprietary and secret) technologies to Iranian government to tap their communications, cheating them to think that the used solution was secure, making also some consideration on this today in 2010.

caq63crypto.t.jpg

That’s called The Crypto AG case, an historical fact involving the United States National Security Agency along with Signal Intelligence Division of Israel Ministry of Defense that are strongly suspected to had made an agreement with the Swiss cryptography producer company Crypto AG.

Basically those entities placed a backdoor in the secure crypto equipment that they provided to Iran to intercept Iranian communications.

Their crypto was based on secret and proprietary encryption algorithms developed by Crypto AG and eventually customized for Iranian government.

You can read some other facts about Crypto AG backdoor related issues:

The demise of global telecommunication security

The NSA-Crypto AG sting

Breaking codes: an impossible task? By BBC

Der Spiegel Crypto AG (german) article

Now, in 2010, we all know and understand that secret and proprietary crypto does not work.

Just some reference by top worldwide cryptographic experts below:

Secrecy, Security, Obscurity by Bruce Schneier

Just say No to Proprietary cryptographic Algorithms by Network Computing (Mike Fratto)

Security Through Obscurity by Ceria Purdue University

Unlocking the Secrets of Crypto: Cryptography, Encryption and Cryptology explained by Symantec

Time change the way things are approached.

I like very much the famous Philip Zimmermann assertion:

“Cryptography used to be an obscure science, of little relevance to everyday life. Historically, it always had a special role in military and diplomatic communications. But in the Information Age, cryptography is about political power, and in particular, about the power relationship between a government and its people. It is about the right to privacy, freedom of speech, freedom of political association, freedom of the press, freedom from unreasonable search and seizure, freedom to be left alone.”

Any scientist today accept and approve the Kerckhoffs’ Principle that in 1883 in the Cryptographie Militaire paper stated:

The security of a cryptosystem should not depend on keeping the algorithm secret, but only on keeping the numeric key secret.

It’s absolutely clear that the best practice for doing cryptography today obbly any serious person to do open cryptography, subject to public review and that follow the Kerckhoff principle.

So, what we should think about closed source, proprietary cryptography that’s based on security trough obscurity concepts?

I was EXTREMELY astonished when TODAY, in 2010, in the age of information society i read some paper on Crypto AG website.

I invite all to read the Crypto AG security paper called Sophisticated Security Architecture designed by Crypto AG of which you can get a significant excerpt below:

The design of this architecture allows Crypto AG to provide a secret proprietary algorithm that can be specified for each customer to assure the perfect degree of cryptographic security and optimum support for the customer’s security policy. In turn, the Security Architecture gives you the influence you need to be fully independent in respect of your encryption solution. You can determine all areas that are covered by cryptography and verify how the algorithm works.The original secret proprietary algorithm of Crypto AG is the foundation of the Security Architecture.

I have to say that their architecture is absolutely good from TLC point of view. Also they have done a very good job in making the design of the overall architecture in order to make a tamper-proof resistant crypto system by using dedicated crypto processor.
However there is still something missing:

The overall cryptographic concept is misleading, based on wrong encryption concepts.

You may think that i am a troll telling this, but given the history of Crypto AG and given the fact that all the scientific and security community does not approve security trough obscurity concepts, it would legitimate to ask ourself:

Why they are still doing security trough obscurity cryptography with secret and proprietary algorithms?

Hey, i think that they have very depth knowledge on telecommunication and security, but given that the science tell us not to follow the secrecy of algorithms, i really have serious doubt on why they are still providing proprietary encryption and does not move to standard solutions (eventually with some kind of custom enhancement).

Tags cyberwarfare, encryption, policy, voicesecurity | Comment (0)

cyberwarfare intelligence security

Missiles against cyber attacks?

7 June 2010 – 5:40 pm

The cyber conflicts are really reaching a point where war and cyberwar merge together.

NATO countries have the right to use the force against attacks on computer networks.

Tags cyberwarfare, policy | Comment (0)

business interception Privacy security technology

Mobile Security talk at WHYMCA conference

2 June 2010 – 7:56 pm

I want to share some slides i used to talk about mobile security at whymca mobile conference in Milan.

Read here my slides on mobile security .

The slides provide a wide an in-depth overview of mobile security related matters, i should be doing some slidecast about it putting also audio. Maybe will do, maybe not, it depends on time that’s always a insufficient resource.

Tags business, encryption, hacking, mobile, Privacy, voicesecurity, zrtp | Comment (0)

Privacy security technology

iPhone PIN: useless encryption

1 June 2010 – 2:53 pm

I recently switched one of my multiple mobile phones with which i go around to iPhone.

I am particularly concerned about data protection in case of theft and so started having a look around about the iPhone provided protection system.

There is an interesting set of iPhone Business Security Features that make me think that iPhone is moving in the right path for security protection of the phone, but still a lot of things has to be done, especially for serious Enterprise and Government users.

For example it turned out that the iPhone PIN protection is useless and it can be broken just plugging the iPhone to a Linux machine and accessing the device like a USB stick.

That’s something disturbing my paranoid mindset that make me think not to use sensitive data on my iPhone if i cannot protect my data.

Probably an iPhone independent disk encryption product would be very useful in order to let the market create protection schemas that fit the different risk contexts that different users may have.

Probably a general consumer is not worried about this PIN vulnerability but for me, working within highly confidential envirnonment such as intelligence, finance and military, it’s something that i cannot accept.

I need strong disk encryption on my mobile phone.

I do strong voice encryption for it, but it would be really nice to have also something to protect the whole iPhone data and not just phone calls.

Tags encryption, hacking, mobile, Privacy, voicesecurity | Comment (0)

security Uncategorized

Who extract Oil in Iran? Business and UN sanction together

1 June 2010 – 9:21 am

I like geopolitic and i am following carefully iran issues.

I went to National Iranian Oil Company website and have seen “Exploration & Production” section where are listed all the companies and their country of origin that are allowed to make Exploration of oil in Iran.

On that list we find the list of countries along with the data of signing of exploration agreement:

Norway/Russia (2000)
Australia/Spain/Chile (2001)
India (2002)
China (2001)
Brazil (2004)
Spain (2004)
Thailand (2005)
China x 2 (2005)
Norway (2006)
Italy (2008)
Vietnam (2008)

Those countries’s oil companies are allowed to do oil extraction in Iran and i would like to point out that Iran is the 2nd world Oil Reserve just after Saudi Arabia.

As you can see there’s NO USA company doing extraction.

Of European Countries the only one doing business with IRAN are:

IRAN Norway Relationship

IRAN ITALY Relationship

IRAN SPAIN Relationship

While of the well known non-US-simpatizing countries, the one doing Oil business with Iran are:

IRAN RUSSIA Relationship

IRAN BRAZIL Relationship

IRAN China Relationship

Don’t missing some Asian involvement.

IRAN India Relationship

IRAN Vietnam Relationship

As you can see Iran is doing Oil business with most big south America and Far Asia countries, with some little exception in Europe for what apply to Norway, Italy and Spain.

To me it sounds that those European countries are going to face serious trouble whether they will accept and subscribe UN sanction against Iran.

Or some of them, like Italy, are protected by the strenghtening cooperation they are doing with Russia on Energy matters?

Well, i don’t know how things will end up, but it’s possible the most hypocrit countries like the European ones doing business in Iran while applying Sanctions will be the only European winning in the international competition for Iran Oil (Unless France did not drop a nuclear bomb on theran ;) ).

Tags civilrights, policy | Comment (0)